Wednesday, August 17, 2011

Email attachments that contain malicious code are still being used to infect computers and steal the data found on those computers. While it is easy to find people who discount this threat, believing no one would be foolish enough to open one of these email attachments, the criminals are working hard to make their approaches more convincing.

Today we've seen more than 11,000 copies of their newest attempt come in to the UAB Spam Data Mine. The email received looks like this:

The email contains several falsified header indicators, including at the most basic level that it claims to come from "@nyc.gov". In addition to this, however, there has been a "Received:" tag added to make it appear to have originated from a legitimate New York City IP address:

The City of New York is the registrant for every IP address beginning with "167.153.*.*" - in fact 167.153.240.51 is the IP address of the website "nyc.gov" where Mayor Bloomberg's homepage can be found.

The other false information is the date. Both the date in the Received: tag and the date in the "Date:" tag have been falsified to make it seem this email has been sitting in your inbox for several days by the time you see it.

Just from the falsified header, we would predict that this email is going to be in the same family of malware as the "IRS Notification" and "UPS Notification" emails seen earlier this week, which also contained falsified Received: tags.
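The three header tells described above (a From: domain that the host actually connecting to our mail server cannot vouch for, an inner Received: line claiming an address in the City's 167.153.0.0/16 block, and a Date: several days older than delivery) can be checked mechanically. The script below is an added example written for this post, not code from the UAB Spam Data Mine; the two sample messages, the 203.0.113.7 relay address and the rule that mail claiming @nyc.gov should arrive from 167.153.0.0/16 are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption for this example: the netblock a sender domain's mail should
# actually arrive from. 167.153.0.0/16 is the City of New York allocation
# named in the post; treating it as the only legitimate origin is our rule.
TRUSTED_ORIGIN = {"nyc.gov": ipaddress.ip_network("167.153.0.0/16")}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message modelled on the campaign: the sender forged a
# Received: line pointing at nyc.gov's own address and back-dated Date:,
# but our MX (the topmost Received:) saw the real connecting host.
FORGED = """\
Received: from mail.example.org (mail.example.org [203.0.113.7])
\tby mx.example.edu (Postfix) with ESMTP id 4F1A2B
\tfor <victim@example.edu>; Wed, 17 Aug 2011 09:15:02 -0500
Received: from nyc.gov (nyc.gov [167.153.240.51])
\tby mail.example.org with SMTP; Sat, 13 Aug 2011 11:02:44 -0400
From: "NYC Finance" <notice@nyc.gov>
To: victim@example.edu
Date: Sat, 13 Aug 2011 11:02:44 -0400
Subject: Notification

See attachment.
"""

# Constructed ordinary message: one hop, no claimed identity, fresh Date:.
CLEAN = """\
Received: from mail.example.org (mail.example.org [203.0.113.7])
\tby mx.example.edu (Postfix) with ESMTP id 4F1A2C
\tfor <victim@example.edu>; Wed, 17 Aug 2011 09:20:00 -0500
From: colleague@example.org
Date: Wed, 17 Aug 2011 09:19:40 -0500
Subject: Lunch

Noon?
"""


def parse_received(value):
    """Extract (connecting IP, timestamp) from one Received: header value."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = IP_RE.search(flat)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    when = None
    if ";" in flat:                         # the timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return ip, when


def analyze_headers(raw, skew_limit_days=2.0):
    """Return the findings a triage script would record for one message."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []

    # hops[0] was written by our own MX, so its IP is the host that really
    # connected to us; every line below it arrived inside the message and
    # could have been typed by the sender.
    connecting_ip = hops[0][0] if hops else None
    trusted = TRUSTED_ORIGIN.get(from_domain)
    if trusted and connecting_ip and connecting_ip not in trusted:
        flags.append("sender_ip_outside_claimed_netblock")
        # An inner hop claiming the trusted block, uncorroborated by the
        # outer hop, is the forged Received: tag the post describes.
        if any(ip is not None and ip in trusted for ip, _ in hops[1:]):
            flags.append("forged_received_chain")

    # Compare the sender-supplied Date: with when our MX took delivery.
    delivered = hops[0][1] if hops else None
    skew_days = None
    if delivered is not None and msg.get("Date"):
        try:
            sent = parsedate_to_datetime(msg["Date"])
            skew_days = (delivered - sent).total_seconds() / 86400
        except (TypeError, ValueError):
            skew_days = None
        if skew_days is not None and abs(skew_days) > skew_limit_days:
            flags.append("stale_date_header")

    return {
        "from_domain": from_domain,
        "connecting_ip": str(connecting_ip) if connecting_ip else None,
        "date_skew_days": None if skew_days is None else round(skew_days, 2),
        "flags": flags,
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("clean", CLEAN)):
        print(name, analyze_headers(raw))
```

Only the topmost Received: line is trustworthy, because it is the one our own server wrote; the netblock rule is a stand-in for what SPF or a per-domain allowlist would give you in production, and a legitimately relayed message through a third-party gateway would also trip the netblock check, so treat these flags as triage signals rather than a verdict.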

The zip file contains an executable file disguised as a PDF file:

When the malware is launched, it connects to "sfkdhjnsfjg.ru" on 195.189.226.117.

From there it fetches "/ftp/g.php" and "pusk3.exe" -- exactly the same as the IRS Notification spam and the UPS Notification spam.

Money Transfer Information
MONEY TRANSFER INFORMATION
Money Transfer Information 00375
Money Transfer Notice
MONEY TRANSFER NOTICE
MONEY TRANSFER NOTICE 06457
Western Union: Money Transfer For You
WESTERN UNION: MONEY TRANSFER FOR YOU
Western Union: Remittance Advice
WESTERN UNION: REMITTANCE ADVICE
Western Union: Transfer Of Money
WESTERN UNION: TRANSFER OF MONEY
Western Union: You Have Money Transfer
WESTERN UNION: YOU HAVE MONEY TRANSFER
Western Union: You have received a money transfer
WESTERN UNION: YOU HAVE RECEIVED A MONEY TRANSFER

Another top spammed malware attachment today delivers emails with these subjects:

Re: End of July Statement Required
Re: FW: End of July Stat.
Re: FW: End of July Statement
Re: FW: End of July Statement required
Re: FW: End of July Statement Required
Re: FW: End of July Statement REquired
Re: FW: End of July Statement REquired!
Re: FW: End of July Stat. required
Re: FW: End of July Stat. Required

The email body says simply:

Hallo,
As requested i give you open Invoices issued to you as per 5th Aug. 2011
Regards
DEENA BUCKLEY

Wednesday, August 10, 2011

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 infection reports for this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.

Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.

You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.

78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.

Friday, August 05, 2011

We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical in this campaign, which we first started tracking on July 13th, detection has been fairly horrible each morning for the new malware version. We last updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us this campaign's spam so far today: 118 of them are in the USA and 40 in India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed it sets a value under "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" so that it relaunches from my current user account, where it had copied itself to "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe".

It makes connections to domains generated with a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

From there it did a GET for /news/?s=158404
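A DGA sample behaves exactly as described here: it queries a burst of gibberish names, nearly all of which return NXDOMAIN, until one that the operator actually registered resolves. Both properties are visible in resolver logs. The script below is an added example for this post, not the blog's or the Spam Data Mine's code: it scores query names by letter statistics and then flags clients that asked for several such names, reporting which of them resolved. The resolver log lines are constructed (olojkpcltulirqr.info and tax-irs-report.com come from the post, the NXDOMAIN names are made-up stand-ins, and the clients are private test addresses), and the length, consonant-run and vowel-ratio thresholds are assumptions.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")
MIN_LABEL_LEN = 8       # assumption: shorter labels carry too few letters to judge
MAX_CONSONANT_RUN = 5   # assumption: 5+ consonants in a row is rare in real names
MIN_VOWEL_RATIO = 0.2   # assumption: fewer than 1 vowel in 5 letters is rare

# Constructed resolver log lines: timestamp, client, query name, rcode.
# olojkpcltulirqr.info and tax-irs-report.com are from the post; the
# NXDOMAIN names are made-up stand-ins for the other generated domains
# the sample tried, and the clients are private test addresses.
DNS_LOG = """\
2011-08-05T09:12:01 10.0.0.5 qkrlsmbtdvnh.com NXDOMAIN
2011-08-05T09:12:01 10.0.0.5 wpxtrzkgfhl.net NXDOMAIN
2011-08-05T09:12:02 10.0.0.5 olojkpcltulirqr.info NOERROR
2011-08-05T09:12:02 10.0.0.5 tax-irs-report.com NOERROR
2011-08-05T09:12:05 10.0.0.9 virustotal.com NOERROR
2011-08-05T09:12:06 10.0.0.9 nyc.gov NOERROR
2011-08-05T09:12:07 10.0.0.9 intranet.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def registrable_label(hostname):
    """Label directly under the TLD: 'olojkpcltulirqr' for olojkpcltulirqr.info."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label):
    """Letter count, vowel ratio and longest consonant run of one label."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return {
        "length": len(letters),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": longest,
    }


def looks_generated(hostname):
    """True when the registrable label reads like keyboard noise."""
    f = label_features(registrable_label(hostname))
    if f["length"] < MIN_LABEL_LEN:
        return False
    return (f["max_consonant_run"] >= MAX_CONSONANT_RUN
            or f["vowel_ratio"] < MIN_VOWEL_RATIO)


def triage_dns_log(log, min_generated=2):
    """Per client: queries, NXDOMAIN answers, generated-looking names, and
    which generated-looking names actually resolved (the live C&C candidate).
    Only clients with at least `min_generated` such names are reported."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "generated": 0, "resolved_generated": []})
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, qname, rcode = m.groups()
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if looks_generated(qname):
            s["generated"] += 1
            if rcode == "NOERROR":
                s["resolved_generated"].append(qname)
    return {c: s for c, s in stats.items() if s["generated"] >= min_generated}


if __name__ == "__main__":
    for client, s in triage_dns_log(DNS_LOG).items():
        print(client, s)
```

The letter statistics alone will misfire on consonant-heavy brand and surname domains, so the useful signal is the combination: one client, a burst of such names, most of them NXDOMAIN, and one that resolved. That resolved name is the one worth blocking and the client is the one worth imaging, and an allowlist of known-good names keeps the scoring from paging anyone over a legitimate oddly-spelled domain.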

It tried many other domains, but none of the others were live. Some of them include:

Wednesday, August 03, 2011

The top malware spam of the morning is another Fake Antivirus product, but as you'll see in today's story, it's a very familiar Fake AV product.

About 1/2 of 1% of the spam we've seen this morning is a new campaign spreading a fake antivirus dropper. The malware has a fair detection rating, with 17 of 43 AV products detecting the malware according to VirusTotal in their report for MD5 = 635aceafb9ee4236e50e7d0f6c7a7895.

The email bodies use some random misspellings, but look something like this:

The attachment filename is "map_of_love###.zip" where ### is a random number of length between 4 and 8 characters.

Thanks to the UAB Spam Data Mine, it's fairly easy for us to link this new Fake AV spam campaign to previous ones. For example -- we've seen 520 distinct sending IP addresses so far this morning, so let's ask "What was the most common email subject that those same sending IP addresses sent us yesterday?"

43 of the IP addresses sent us an email yesterday with the subject "Your credit card is blocked"

The other big fake AV campaign from yesterday was one pretending to be the US Postal Service. We saw 814 copies of that spam yesterday, and 154 of them came from computers that also sent us today's "Love Map" malware.

How closely related are the "MasterCard" fake AV and the USPS fake AV? Well, they are actually IDENTICAL. It's the same malware. Here's a report extract from yesterday showing the email subject and the MD5 of the attached malware:
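The two questions asked above ("what did today's senders send us yesterday?" and "are two lures the same malware?") are set operations over per-message records: sending IP, day, subject and attachment hash. The code below is an added example of that correlation, not the Spam Data Mine's own query code. Its records are constructed: the IPs are documentation addresses, the hashes are placeholders rather than values from the post, and apart from "Your credit card is blocked" the subjects are made up.

```python
from collections import Counter, defaultdict

# Constructed records in the shape an archive like the Spam Data Mine
# keeps per message: (day, sending_ip, subject, attachment_md5).
# IPs are documentation addresses, hashes are placeholders, and the
# subjects other than "Your credit card is blocked" are made up here.
RECORDS = [
    ("2011-08-02", "198.51.100.10", "Your credit card is blocked", "md5-placeholder-A"),
    ("2011-08-02", "198.51.100.11", "Your credit card is blocked", "md5-placeholder-A"),
    ("2011-08-02", "198.51.100.12", "USPS notification", "md5-placeholder-A"),
    ("2011-08-02", "198.51.100.13", "USPS notification", "md5-placeholder-A"),
    ("2011-08-02", "198.51.100.20", "Cheap watches", "md5-placeholder-B"),
    ("2011-08-03", "198.51.100.10", "Map of love", "md5-placeholder-C"),
    ("2011-08-03", "198.51.100.11", "Map of love", "md5-placeholder-C"),
    ("2011-08-03", "198.51.100.12", "Map of love", "md5-placeholder-C"),
    ("2011-08-03", "198.51.100.30", "Map of love", "md5-placeholder-C"),
    ("2011-08-03", "198.51.100.20", "Cheap watches", "md5-placeholder-B"),
]


def senders(records, day, subject=None):
    """Set of IPs that sent us mail on `day`, optionally only with `subject`."""
    return {ip for d, ip, subj, _ in records
            if d == day and (subject is None or subj == subject)}


def prior_day_subjects(records, today, subject, yesterday):
    """What did today's senders of `subject` send us yesterday?"""
    todays = senders(records, today, subject)
    return Counter(subj for d, ip, subj, _ in records
                   if d == yesterday and ip in todays)


def campaign_overlap(records, day_a, subject_a, day_b, subject_b):
    """How many machines took part in both campaigns."""
    return len(senders(records, day_a, subject_a) & senders(records, day_b, subject_b))


def subjects_by_hash(records, day):
    """Group one day's subjects by attachment hash: several lures sharing one
    hash are one piece of malware, whatever the email pretends to be."""
    groups = defaultdict(set)
    for d, _, subj, h in records:
        if d == day:
            groups[h].add(subj)
    return dict(groups)


if __name__ == "__main__":
    print(prior_day_subjects(RECORDS, "2011-08-03", "Map of love", "2011-08-02").most_common(1))
    print(campaign_overlap(RECORDS, "2011-08-03", "Map of love", "2011-08-02", "USPS notification"))
    print(subjects_by_hash(RECORDS, "2011-08-02"))
```

Keeping the sending IP, the subject and the attachment hash together per message is what makes these pivots cheap: the sender overlap ties campaigns to the same botnet, and the hash grouping shows when different lures are the same binary, which is the observation the report extract makes.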